Bluetooth Filter Driver for DS3-compatibility - research notes



  • This is the last (still working) Chinese ripoff-DS3 I currently possess and it connects as well 🤠


    2019/01/09-19:39:23.848	>> L2CAP_Connection_Request [Code: 0x02, Identifier: 0x01, Length: 4, PSM: 0x5053, SCID: 0x0040]
    2019/01/09-19:39:23.858	<< L2CAP_Connection_Response [Code: 0x03, Identifier: 0x01, Length: 8, DCID: 0x0000, SCID: 0x0040, Result: 0x0001, Status: 0x0000]
    2019/01/09-19:39:23.858	<< L2CAP_Connection_Response [Code: 0x03, Identifier: 0x01, Length: 8, DCID: 0x0040, SCID: 0x0040, Result: 0x0000, Status: 0x0000]
    2019/01/09-19:39:23.858	<< L2CAP_Configuration_Request [Code: 0x04, Identifier: 0x01, Length: 8, DCID: 0x0040, Flags: 0x0000, Options: 0xFFFF0201]
    2019/01/09-19:39:23.871	>> L2CAP_Configuration_Request [Code: 0x04, Identifier: 0x02, Length: 4, DCID: 0x0040, Flags: 0x0000, Options: 0x00001000]
    2019/01/09-19:39:23.871	<< L2CAP_Configuration_Response [Code: 0x05, Identifier: 0x02, Length: 6, SCID: 0x0040, Flags: 0x0000, Result: 0x0000, Options: 0x0000]
    2019/01/09-19:39:23.873	>> L2CAP_Configuration_Response [Code: 0x05, Identifier: 0x01, Length: 10, SCID: 0x0040, Flags: 0x0000, Result: 0x0000, Options: 0x0201]
    2019/01/09-19:39:23.880	>> L2CAP_Connection_Request [Code: 0x02, Identifier: 0x03, Length: 4, PSM: 0x5055, SCID: 0x0041]
    2019/01/09-19:39:23.880	<< L2CAP_Connection_Response [Code: 0x03, Identifier: 0x03, Length: 8, DCID: 0x0000, SCID: 0x0041, Result: 0x0001, Status: 0x0000]
    2019/01/09-19:39:23.880	<< L2CAP_Connection_Response [Code: 0x03, Identifier: 0x03, Length: 8, DCID: 0x0041, SCID: 0x0041, Result: 0x0000, Status: 0x0000]
    2019/01/09-19:39:23.880	<< L2CAP_Configuration_Request [Code: 0x04, Identifier: 0x02, Length: 8, DCID: 0x0041, Flags: 0x0000, Options: 0xFFFF0201]
    2019/01/09-19:39:23.893	>> L2CAP_Configuration_Request [Code: 0x04, Identifier: 0x04, Length: 4, DCID: 0x0041, Flags: 0x0000, Options: 0x00001000]
    2019/01/09-19:39:23.893	<< L2CAP_Configuration_Response [Code: 0x05, Identifier: 0x04, Length: 6, SCID: 0x0041, Flags: 0x0000, Result: 0x0000, Options: 0x0000]
    2019/01/09-19:39:23.894	>> L2CAP_Configuration_Response [Code: 0x05, Identifier: 0x02, Length: 10, SCID: 0x0041, Flags: 0x0000, Result: 0x0000, Options: 0x0201]
    


  • DualShock 4 (Revision 1) connection sequence


    2019/01/09-21:11:02.588	<< L2CAP_Connection_Request [Code: 0x02, Identifier: 0x02, Length: 4, PSM: 0x0001, SCID: 0x0040]
    2019/01/09-21:11:02.597	>> L2CAP_Connection_Response [Code: 0x03, Identifier: 0x02, Length: 8, DCID: 0x0040, SCID: 0x0040, Result: 0x0001, Status: 0x0002]
    2019/01/09-21:11:02.599	>> L2CAP_Connection_Response [Code: 0x03, Identifier: 0x02, Length: 8, DCID: 0x0040, SCID: 0x0040, Result: 0x0000, Status: 0x0000]
    2019/01/09-21:11:02.599	<< L2CAP_Configuration_Request [Code: 0x04, Identifier: 0x03, Length: 8, DCID: 0x0040, Flags: 0x0000, Options: 0x04000201]
    2019/01/09-21:11:02.610	>> L2CAP_Configuration_Response [Code: 0x05, Identifier: 0x03, Length: 10, SCID: 0x0040, Flags: 0x0000, Result: 0x0000, Options: 0x0201]
    2019/01/09-21:11:02.612	>> L2CAP_Configuration_Request [Code: 0x04, Identifier: 0x01, Length: 8, DCID: 0x0040, Flags: 0x0000, Options: 0x04000201]
    2019/01/09-21:11:02.612	<< L2CAP_Configuration_Response [Code: 0x05, Identifier: 0x01, Length: 6, SCID: 0x0040, Flags: 0x0000, Result: 0x0000, Options: 0x0000]
    2019/01/09-21:11:02.612	<< L2CAP_Disconnection_Request [Code: 0x06, Identifier: 0x00, Length: 0, DCID: 0x350F, SCID: 0x1903]
    2019/01/09-21:11:02.623	<< L2CAP_Disconnection_Request [Code: 0x06, Identifier: 0x00, Length: 1, DCID: 0x350F, SCID: 0x1903]
    2019/01/09-21:11:04.088	<< L2CAP_Disconnection_Request [Code: 0x06, Identifier: 0x00, Length: 2, DCID: 0x350F, SCID: 0x1903]
    2019/01/09-21:11:04.449	<< L2CAP_Disconnection_Request [Code: 0x06, Identifier: 0x00, Length: 3, DCID: 0x350F, SCID: 0x1903]
    2019/01/09-21:11:04.513	<< L2CAP_Disconnection_Request [Code: 0x06, Identifier: 0x00, Length: 4, DCID: 0x350F, SCID: 0x1903]
    2019/01/09-21:11:04.718	<< L2CAP_Disconnection_Request [Code: 0x06, Identifier: 0x00, Length: 5, DCID: 0x350F, SCID: 0x1903]
    2019/01/09-21:11:05.031	<< L2CAP_Connection_Request [Code: 0x02, Identifier: 0x04, Length: 4, PSM: 0x0011, SCID: 0x0041]
    2019/01/09-21:11:05.069	>> L2CAP_Connection_Response [Code: 0x03, Identifier: 0x04, Length: 8, DCID: 0x0041, SCID: 0x0041, Result: 0x0001, Status: 0x0002]
    2019/01/09-21:11:05.091	>> L2CAP_Connection_Response [Code: 0x03, Identifier: 0x04, Length: 8, DCID: 0x0041, SCID: 0x0041, Result: 0x0000, Status: 0x0000]
    2019/01/09-21:11:05.091	<< L2CAP_Configuration_Request [Code: 0x04, Identifier: 0x05, Length: 8, DCID: 0x0041, Flags: 0x0000, Options: 0x02A00201]
    2019/01/09-21:11:05.135	>> L2CAP_Configuration_Response [Code: 0x05, Identifier: 0x05, Length: 10, SCID: 0x0041, Flags: 0x0000, Result: 0x0000, Options: 0x0201]
    2019/01/09-21:11:05.156	>> L2CAP_Configuration_Request [Code: 0x04, Identifier: 0x02, Length: 8, DCID: 0x0041, Flags: 0x0000, Options: 0x02A00201]
    2019/01/09-21:11:05.156	<< L2CAP_Configuration_Response [Code: 0x05, Identifier: 0x02, Length: 6, SCID: 0x0041, Flags: 0x0000, Result: 0x0000, Options: 0x0000]
    2019/01/09-21:11:05.156	<< L2CAP_Connection_Request [Code: 0x02, Identifier: 0x06, Length: 4, PSM: 0x0013, SCID: 0x0042]
    2019/01/09-21:11:05.192	>> L2CAP_Connection_Response [Code: 0x03, Identifier: 0x06, Length: 8, DCID: 0x0042, SCID: 0x0042, Result: 0x0001, Status: 0x0002]
    2019/01/09-21:11:05.199	>> L2CAP_Connection_Response [Code: 0x03, Identifier: 0x06, Length: 8, DCID: 0x0042, SCID: 0x0042, Result: 0x0000, Status: 0x0000]
    2019/01/09-21:11:05.199	<< L2CAP_Configuration_Request [Code: 0x04, Identifier: 0x07, Length: 8, DCID: 0x0042, Flags: 0x0000, Options: 0x02A00201]
    2019/01/09-21:11:05.209	>> L2CAP_Configuration_Response [Code: 0x05, Identifier: 0x07, Length: 10, SCID: 0x0042, Flags: 0x0000, Result: 0x0000, Options: 0x0201]
    2019/01/09-21:11:05.212	>> L2CAP_Configuration_Request [Code: 0x04, Identifier: 0x03, Length: 8, DCID: 0x0042, Flags: 0x0000, Options: 0x02A00201]
    2019/01/09-21:11:05.212	<< L2CAP_Configuration_Response [Code: 0x05, Identifier: 0x03, Length: 6, SCID: 0x0042, Flags: 0x0000, Result: 0x0000, Options: 0x0000]
    2019/01/09-21:11:07.797	<< L2CAP_Disconnection_Request [Code: 0x06, Identifier: 0x08, Length: 4, DCID: 0x0040, SCID: 0x0040]
    2019/01/09-21:11:07.801	>> L2CAP_Disconnection_Response [Code: 0x07, Identifier: 0x08, Length: 4, DCID: 0x0040, SCID: 0x0040]
    


  • Oof, code base growing rapidly 😲


    From top to bottom:

    • Profile driver
    • Filter driver
    • Driver installation utility


  • Enum BTH - Microsoft Bluetooth Enumerator


    Enum USB - Generic Bluetooth Radio


    PlayStation 3 Peripherals Filter Driver


    How the Heck do I get rid of the Advanced tab 🤔




  • Working on BthPS3Util

    Creating a small command line utility for abstracting away the mess of creating filter device node, installing filter driver, enabling the filter and registering the service profile.




  • Bloody hell, my mind was not prepared to deal with a state machine handling two L2CAP channels with all that async stuff happening and the tons of error handling required. Time for my favorite part in what I call (dramatic music playing 🎶 ) poke-in-the-dark-development:

    1. think about the solution
    2. code it
    3. think about it again
    4. realize it's flawed
    5. revert changes
    6. goto 1

    🤦‍♂️



  • Oddly enough I wasn't able to find an official way to get the remote device name from an incoming connection, just the MAC address. This isn't a showstopper but odd and annoying for device identification. Or am I missing something 🤔



  • @nefarius said in Bluetooth Filter Driver for DS3-compatibility - research notes:

    Oddly enough I wasn't able to find an official way to get the remote device name from an incoming connection, just the MAC address. This isn't a showstopper but odd and annoying for device identification. Or am I missing something

    Wait a minute... if I got this right, calling IOCTL_BTH_GET_DEVICE_INFO returns a BTH_DEVICE_INFO_LIST containing BTH_DEVICE_INFO which can then be matched against address and contains a name member:

    Name of the remote Bluetooth device, as reported by the device, encoded in UTF8. The user may have locally provided a display name for the remote Bluetooth device; that name is overridden, and does not appear in this member; it is accessible only with a call to the BluetoothGetDeviceInfo function.

    Bingo! The name isn't 100% safe to rely on in device identification compared to the MAC address, but it's the best shot. It's important to react differently depending on the device type (DualShock 3, Navigation Controller, Motion Controller or DualShock 4 a.k.a. Wireless Controller). This is how it's currently done in WireShock:

    BD_ADDR_FROM_BUFFER(clientAddr, &buffer[3]);
    
    ULONG length;
    
    //
    // Scan through rest of buffer until null-terminator is found
    //
    for (length = 1;
    	(length + 8) < NumBytesTransferred   // check the bound first, then dereference
    	&& buffer[length + 8] != 0x00;
    	length++);
    
    //
    // Store remote name in device context
    //
    WireBusSetChildRemoteName(
    	Device,
    	&clientAddr,
    	&buffer[9],
    	length
    );
    
    switch (buffer[9])
    {
    case 'P': // First letter in PLAYSTATION(R)3 Controller ('P')
    	WireBusSetChildDeviceType(
    		Device,
    		&clientAddr,
    		DS_DEVICE_TYPE_PS3_DUALSHOCK
    	);
    	break;
    case 'N': // First letter in Navigation Controller ('N')
    	WireBusSetChildDeviceType(
    		Device,
    		&clientAddr,
    		DS_DEVICE_TYPE_PS3_NAVIGATION
    	);
    	break;
    case 'M': // First letter in Motion Controller ('M')
    	WireBusSetChildDeviceType(
    		Device,
    		&clientAddr,
    		DS_DEVICE_TYPE_PS3_MOTION
    	);
    	break;
    case 'W': // First letter in Wireless Controller ('W')
    	WireBusSetChildDeviceType(
    		Device,
    		&clientAddr,
    		DS_DEVICE_TYPE_PS4_DUALSHOCK
    	);
    	break;
    default:
    	TraceEvents(TRACE_LEVEL_ERROR,
    		TRACE_INTERRUPT,
    		"Couldn't determine device type from remote name (%c)",
    		buffer[9]
    	);
    	break;
    }
    

    I've discovered that a DS4 (Rev1) paired in PC-mode will also try to directly connect with PSM 0x11 and 0x13 in addition to the correct 0x01 and gets denied. It continues to work though; my best guess is that the controller simply tries if the Bluetooth host is a PS4 and changes its behavior accordingly. This is unfortunate for my profile driver, because now I need to know that it is a DS4, not a DS3, and deny the connection request because the filter will rewrite the PSMs as well. This rabbit hole... 😵
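The post above matches the incoming address against the paired-device list, classifies the device by its reported name, and denies a DS4 that knocks on the patched PSMs. The following is an added example, not part of the original post or of the WireShock/BthPS3 sources: a user-mode C model of that decision which compares the whole name instead of its first letter. `device_record`, `classify_name` and `decide_connection` are hypothetical names; the sample list is constructed from the addresses and names in the thread's traces.

```c
/* Added example: user-mode model of the accept/deny decision, not driver code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 248  /* maximum Bluetooth remote name length in bytes */

/* Hypothetical stand-in for one entry of the device list (not the WDK struct). */
typedef struct {
    uint64_t address;         /* 48-bit Bluetooth address */
    char     name[NAME_CAP];  /* UTF-8, not guaranteed to be NUL-terminated */
} device_record;

typedef enum { DEV_UNKNOWN, DEV_DS3, DEV_NAVIGATION, DEV_MOTION, DEV_DS4 } device_kind;
typedef enum { CONNECT_DENY = 0, CONNECT_ACCEPT = 1 } verdict;

/* Remote names quoted in the thread. */
static const struct { const char *name; device_kind kind; } known_names[] = {
    { "PLAYSTATION(R)3 Controller", DEV_DS3 },
    { "Navigation Controller",      DEV_NAVIGATION },
    { "Motion Controller",          DEV_MOTION },
    { "Wireless Controller",        DEV_DS4 },
};

/* Constructed sample: the two paired devices listed in the thread's trace. */
const device_record sample_devices[] = {
    { 0xACFD93095C20ULL, "Wireless Controller" },
    { 0xAC7A4D2819ACULL, "PLAYSTATION(R)3 Controller" },
};

/* Exact, length-bounded match: never reads past `cap` bytes of `name`. */
device_kind classify_name(const char *name, size_t cap)
{
    const char *nul = memchr(name, '\0', cap);
    size_t len = nul ? (size_t)(nul - name) : cap;

    for (size_t i = 0; i < sizeof known_names / sizeof known_names[0]; i++) {
        if (strlen(known_names[i].name) == len &&
            memcmp(name, known_names[i].name, len) == 0)
            return known_names[i].kind;
    }
    return DEV_UNKNOWN;
}

/* Look the connecting address up in the device list; NULL if absent. */
const device_record *find_device(const device_record *list, size_t count,
                                 uint64_t address)
{
    for (size_t i = 0; i < count; i++)
        if (list[i].address == address)
            return &list[i];
    return NULL;
}

/* Fail closed: unknown address, unknown name and DS4 are all denied. */
verdict decide_connection(const device_record *list, size_t count, uint64_t remote)
{
    const device_record *dev = find_device(list, count, remote);
    if (dev == NULL)
        return CONNECT_DENY;

    switch (classify_name(dev->name, sizeof dev->name)) {
    case DEV_DS3:
    case DEV_NAVIGATION:
    case DEV_MOTION:
        return CONNECT_ACCEPT;
    default:
        return CONNECT_DENY;
    }
}

int main(void)
{
    const uint64_t remotes[] = { 0xAC7A4D2819ACULL, 0xACFD93095C20ULL,
                                 0x001122334455ULL /* constructed, unpaired */ };
    for (size_t i = 0; i < 3; i++)
        printf("%012llX -> %s\n", (unsigned long long)remotes[i],
               decide_connection(sample_devices, 2, remotes[i]) ? "accept" : "deny");
    return 0;
}
```

A name such as "Printer" falls through to `DEV_UNKNOWN` here, whereas a first-letter switch would treat it as a DualShock 3.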



  • Quite interesting research. So putting this into simple terms, the filter driver will pick up the DS4 and will interpret its requests instead? Which is bad because the DS4 has Bluetooth support already.



  • @daltz333 said in Bluetooth Filter Driver for DS3-compatibility - research notes:

    Quite interesting research. So putting this into simple terms, the filter driver will pick up the DS4 and will interpret its requests instead? Which is bad because the DS4 has Bluetooth support already.

    The filter is stupid and has no idea what kind of device is connecting; it looks for Protocol/Service Multiplexer values 0x11 (HID Control) and 0x13 (HID Interrupt) and patches them to artificial values the profile driver listens on. So now the profile driver is in charge of handling the connection requests. The profile driver needs to know what kind of device connects because anything other than the PS3 peripherals could in theory use those PSMs as well. Now we also know that the DS4 tries them as well for whatever reason. It doesn't need to because it has a valid SDP record but I guess it does it to "poke" the Bluetooth host and switches to native PS4 mode if the PSMs get accepted. Who knows what would happen then.
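The PSM rewrite described in the post above, as an added example that is not the filter driver's code: a user-mode C routine that walks one complete L2CAP signalling frame, validates every length, and rewrites the PSM of Connection Requests. The mapping 0x11 to 0x5053 and 0x13 to 0x5055 is an assumption inferred from the traces in this thread; the function names and sample frames are constructed, and a 2-octet PSM and unfragmented frame are assumed.

```c
/* Added example: model of the PSM patching step, not the BthPS3PSM source. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define L2CAP_CID_SIGNALLING  0x0001
#define L2CAP_CODE_CONN_REQ   0x02
#define PSM_HID_CONTROL       0x0011
#define PSM_HID_INTERRUPT     0x0013
#define PSM_PATCHED_CONTROL   0x5053  /* assumed mapping, seen in the traces */
#define PSM_PATCHED_INTERRUPT 0x5055  /* assumed mapping, seen in the traces */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Constructed frames: [len][CID] then [code][id][len][PSM][SCID], little endian. */
uint8_t sample_ctrl_req[]  = { 0x08,0x00, 0x01,0x00, 0x02,0x01,0x04,0x00, 0x11,0x00, 0x40,0x00 };
uint8_t sample_sdp_req[]   = { 0x08,0x00, 0x01,0x00, 0x02,0x02,0x04,0x00, 0x01,0x00, 0x40,0x00 };
uint8_t sample_truncated[] = { 0x06,0x00, 0x01,0x00, 0x02,0x03,0x04,0x00, 0x13,0x00 };

/* Walk all signalling commands; count (and optionally rewrite) HID PSMs.
 * Returns -1 as soon as a command header or body would run past the frame. */
static int walk_commands(uint8_t *frame, size_t len, int apply)
{
    size_t off = 4;
    int hits = 0;

    while (off < len) {
        if (len - off < 4)
            return -1;                       /* truncated command header */
        uint8_t  code    = frame[off];
        uint16_t cmd_len = rd16(frame + off + 2);
        if (cmd_len > len - off - 4)
            return -1;                       /* body exceeds the frame */

        if (code == L2CAP_CODE_CONN_REQ && cmd_len == 4) {
            uint16_t psm = rd16(frame + off + 4);
            uint16_t to  = psm == PSM_HID_CONTROL   ? PSM_PATCHED_CONTROL
                         : psm == PSM_HID_INTERRUPT ? PSM_PATCHED_INTERRUPT : 0;
            if (to != 0) {
                if (apply)
                    wr16(frame + off + 4, to);
                hits++;
            }
        }
        off += 4u + cmd_len;
    }
    return hits;
}

/* Returns number of PSMs rewritten, 0 if nothing to do, -1 if malformed.
 * The frame is validated completely before a single byte is modified. */
int patch_hid_psms(uint8_t *frame, size_t len)
{
    if (len < 4 || (size_t)rd16(frame) + 4 != len)
        return -1;
    if (rd16(frame + 2) != L2CAP_CID_SIGNALLING)
        return 0;

    int hits = walk_commands(frame, len, 0);
    return hits > 0 ? walk_commands(frame, len, 1) : hits;
}

int main(void)
{
    uint8_t copy[sizeof sample_ctrl_req];
    memcpy(copy, sample_ctrl_req, sizeof copy);   /* keep the sample pristine */
    int n = patch_hid_psms(copy, sizeof copy);
    printf("patched %d, PSM now 0x%04X\n", n, rd16(copy + 8));
    return 0;
}
```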



  • Papers, please 👮

    2019/01/20-16:50:29.960	TRACE_LEVEL_INFORMATION	New connection for PSM 0x5053 from AC7A4D2819AC arrived
    2019/01/20-16:50:29.960	TRACE_LEVEL_INFORMATION	++ deviceInfoList.numOfDevices: 2
    2019/01/20-16:50:29.960	TRACE_LEVEL_INFORMATION	++ Device 0 address ACFD93095C20, name: Wireless Controller
    2019/01/20-16:50:29.960	TRACE_LEVEL_INFORMATION	++ Device 1 address AC7A4D2819AC, name: PLAYSTATION(R)3 Controller
    2019/01/20-16:50:29.981	TRACE_LEVEL_INFORMATION	New connection for PSM 0x5055 from AC7A4D2819AC arrived
    2019/01/20-16:50:29.981	TRACE_LEVEL_INFORMATION	++ deviceInfoList.numOfDevices: 2
    2019/01/20-16:50:29.981	TRACE_LEVEL_INFORMATION	++ Device 0 address ACFD93095C20, name: Wireless Controller
    2019/01/20-16:50:29.981	TRACE_LEVEL_INFORMATION	++ Device 1 address AC7A4D2819AC, name: PLAYSTATION(R)3 Controller
    2019/01/20-16:50:29.993	TRACE_LEVEL_INFORMATION	L2CAP_PS3_ConnectionIndicationCallback ++ IndicationRemoteConfigRequest
    

    We got the name! Delightful 😀



  • Some more hardening and error handling, that will be all for today 😌

    2019/01/20-18:11:22.457	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Entry
    2019/01/20-18:11:22.457	TRACE_LEVEL_INFORMATION	New connection for PSM 0x5053 from AC7A4D2819AC arrived
    2019/01/20-18:11:22.457	TRACE_LEVEL_VERBOSE	L2CAP_PS3_SendConnectResponse Entry
    2019/01/20-18:11:22.457	TRACE_LEVEL_ERROR	BTHPS3_GET_DEVICE_NAME failed with status STATUS_INVALID_PARAMETER (0xC000000D)
    2019/01/20-18:11:22.457	TRACE_LEVEL_VERBOSE	L2CAP_PS3_SendConnectResponse Exit (STATUS_SUCCESS (0x00000000))
    2019/01/20-18:11:22.457	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Exit
    2019/01/20-18:11:23.072	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Entry
    2019/01/20-18:11:23.072	TRACE_LEVEL_INFORMATION	New connection for PSM 0x5053 from AC7A4D2819AC arrived
    2019/01/20-18:11:23.072	TRACE_LEVEL_VERBOSE	L2CAP_PS3_SendConnectResponse Entry
    2019/01/20-18:11:23.072	TRACE_LEVEL_INFORMATION	++ Device AC7A4D2819AC name: PLAYSTATION(R)3 Controller
    2019/01/20-18:11:23.072	TRACE_LEVEL_VERBOSE	L2CAP_PS3_SendConnectResponse Exit (STATUS_SUCCESS (0x00000000))
    2019/01/20-18:11:23.072	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Exit
    2019/01/20-18:11:23.072	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Entry
    2019/01/20-18:11:23.072	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Exit
    2019/01/20-18:11:23.093	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Entry
    2019/01/20-18:11:23.093	TRACE_LEVEL_INFORMATION	New connection for PSM 0x5055 from AC7A4D2819AC arrived
    2019/01/20-18:11:23.093	TRACE_LEVEL_VERBOSE	L2CAP_PS3_SendConnectResponse Entry
    2019/01/20-18:11:23.093	TRACE_LEVEL_INFORMATION	++ Device AC7A4D2819AC name: PLAYSTATION(R)3 Controller
    2019/01/20-18:11:23.093	TRACE_LEVEL_VERBOSE	L2CAP_PS3_SendConnectResponse Exit (STATUS_SUCCESS (0x00000000))
    2019/01/20-18:11:23.093	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Exit
    


  • I'm feeling a cold creeping up on me but nevertheless managed to utilize enough brain power to implement resource cleanup on disconnect without a single BSOD! 🤠

    --- DS3 connecting ---
    2019/01/24-20:39:11.096	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Entry
    2019/01/24-20:39:11.096	TRACE_LEVEL_INFORMATION	New connection for PSM 0x5053 from AC7A4D2819AC arrived
    2019/01/24-20:39:11.096	TRACE_LEVEL_VERBOSE	L2CAP_PS3_SendConnectResponse Entry
    2019/01/24-20:39:11.096	TRACE_LEVEL_INFORMATION	++ Device AC7A4D2819AC name: PLAYSTATION(R)3 Controller
    2019/01/24-20:39:11.096	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Entry (Indication: 0x0, Context: 0xFFFFFA8007488780)
    2019/01/24-20:39:11.096	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Exit
    2019/01/24-20:39:11.096	TRACE_LEVEL_VERBOSE	L2CAP_PS3_SendConnectResponse Exit (STATUS_SUCCESS (0x00000000))
    2019/01/24-20:39:11.096	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Exit
    2019/01/24-20:39:11.112	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Entry
    2019/01/24-20:39:11.112	TRACE_LEVEL_INFORMATION	New connection for PSM 0x5055 from AC7A4D2819AC arrived
    2019/01/24-20:39:11.112	TRACE_LEVEL_VERBOSE	L2CAP_PS3_SendConnectResponse Entry
    2019/01/24-20:39:11.112	TRACE_LEVEL_INFORMATION	++ Device AC7A4D2819AC name: PLAYSTATION(R)3 Controller
    2019/01/24-20:39:11.112	TRACE_LEVEL_VERBOSE	++ Found desired connection item in connection list
    2019/01/24-20:39:11.112	TRACE_LEVEL_VERBOSE	L2CAP_PS3_SendConnectResponse Exit (STATUS_SUCCESS (0x00000000))
    2019/01/24-20:39:11.112	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Exit
    2019/01/24-20:39:11.112	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Entry (Indication: 0x0, Context: 0xFFFFFA8007488780)
    2019/01/24-20:39:11.112	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Exit
    2019/01/24-20:39:11.121	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Entry (Indication: 0x4, Context: 0xFFFFFA8007488780)
    2019/01/24-20:39:11.121	TRACE_LEVEL_INFORMATION	L2CAP_PS3_ConnectionIndicationCallback ++ IndicationRemoteConfigRequest
    2019/01/24-20:39:11.121	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Exit
    --- DS3 connected ---
    
    --- DS3 disconnecting (by holding PS button for 10 seconds) ---
    2019/01/24-20:39:35.193	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Entry (Indication: 0x3, Context: 0xFFFFFA8007488780)
    2019/01/24-20:39:35.193	TRACE_LEVEL_VERBOSE	++ IndicationRemoteDisconnect [0xFFFFFA80073F9CE0]
    2019/01/24-20:39:35.193	TRACE_LEVEL_VERBOSE	++ HID Interrupt Channel 0xFFFFFA80073F9CE0 disconnected
    2019/01/24-20:39:35.193	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Exit
    2019/01/24-20:39:35.196	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Entry (Indication: 0x3, Context: 0xFFFFFA8007488780)
    2019/01/24-20:39:35.196	TRACE_LEVEL_VERBOSE	++ IndicationRemoteDisconnect [0xFFFFFA800775E170]
    2019/01/24-20:39:35.196	TRACE_LEVEL_VERBOSE	++ HID Control Channel 0xFFFFFA800775E170 disconnected
    2019/01/24-20:39:35.196	TRACE_LEVEL_VERBOSE	ClientConnections_RemoveAndDestroy Entry (Context: 0xFFFFFA8007488780)
    2019/01/24-20:39:35.196	TRACE_LEVEL_VERBOSE	++ Found desired connection item in connection list
    2019/01/24-20:39:35.196	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Exit
    2019/01/24-20:39:35.196	TRACE_LEVEL_VERBOSE	EvtClientConnectionsDestroyConnection Entry
    2019/01/24-20:39:35.619	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Entry (Indication: 0x1, Context: 0xFFFFFA8007488780)
    2019/01/24-20:39:35.619	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Exit
    2019/01/24-20:39:35.619	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Entry (Indication: 0x1, Context: 0xFFFFFA8007488780)
    2019/01/24-20:39:35.619	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Exit
    --- DS3 disconnected ---
    

    'till next time 👋



  • Device identification and connection drop on error/incompatibility implemented and working 😇

    2019/01/25-18:16:35.587	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Entry
    2019/01/25-18:16:35.587	TRACE_LEVEL_INFORMATION	New connection for PSM 0x5053 from AC7A4D2819AC arrived
    2019/01/25-18:16:35.587	TRACE_LEVEL_VERBOSE	L2CAP_PS3_HandleRemoteConnect Entry
    2019/01/25-18:16:35.588	TRACE_LEVEL_ERROR	BTHPS3_GET_DEVICE_NAME failed with status STATUS_INVALID_PARAMETER (0xC000000D), dropping connection
    2019/01/25-18:16:35.588	TRACE_LEVEL_VERBOSE	L2CAP_PS3_DenyRemoteConnect Entry
    2019/01/25-18:16:35.588	TRACE_LEVEL_VERBOSE	L2CAP_PS3_DenyRemoteConnectCompleted Entry (STATUS_SUCCESS (0x00000000))
    2019/01/25-18:16:35.588	TRACE_LEVEL_VERBOSE	L2CAP_PS3_DenyRemoteConnectCompleted Exit
    2019/01/25-18:16:35.588	TRACE_LEVEL_VERBOSE	L2CAP_PS3_DenyRemoteConnect Exit
    2019/01/25-18:16:35.588	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Exit
    2019/01/25-18:16:36.188	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Entry
    2019/01/25-18:16:36.188	TRACE_LEVEL_INFORMATION	New connection for PSM 0x5053 from AC7A4D2819AC arrived
    2019/01/25-18:16:36.188	TRACE_LEVEL_VERBOSE	L2CAP_PS3_HandleRemoteConnect Entry
    2019/01/25-18:16:36.188	TRACE_LEVEL_INFORMATION	++ Device AC7A4D2819AC name: PLAYSTATION(R)3 Controller
    2019/01/25-18:16:36.188	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Entry (Indication: 0x0, Context: 0xFFFFFA8008FDB5B0)
    2019/01/25-18:16:36.188	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Exit
    2019/01/25-18:16:36.188	TRACE_LEVEL_VERBOSE	L2CAP_PS3_HandleRemoteConnect Exit (STATUS_SUCCESS (0x00000000))
    


  • Marvelous terrible quality video demonstrating that DS4 and DS3 can live together in peace on the default Bluetooth host driver:

    Youtube Video

    In typical USB-fashion the darn plug didn't want to go into the socket in one go 🤦 and the room didn't have enough light to combat the bright screen causing the camera to adjust exposure so it all went a bit too dark 😅

    What's happening in the video:

    • Bluetooth host USB dongle gets plugged in, default Windows driver, filter and profile driver get loaded
    • DS4 gets paired in PC-mode and works as expected
    • DS3 gets powered on by tap on PS button and connects (there is no output report sent yet so the LEDs will keep flashing although it has connected successfully)
    • DS4 continues to work unimpressed by second device, so no interference
    • DS3 gets force-shut-off by holding PS button for around ten seconds
    • DS4 continues to work after DS3 has left the building

    So far not so shabby! 🎉



  • Managed to send it the first output report, now the LEDs stay bright on 😃

    2019/02/01-02:39:55.177	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Entry
    2019/02/01-02:39:55.177	TRACE_LEVEL_INFORMATION	New connection for PSM 0x5053 from AC7A4D2819AC arrived
    2019/02/01-02:39:55.177	TRACE_LEVEL_VERBOSE	L2CAP_PS3_HandleRemoteConnect Entry
    2019/02/01-02:39:55.177	TRACE_LEVEL_ERROR	BTHPS3_GET_DEVICE_NAME failed with status STATUS_INVALID_PARAMETER (0xC000000D), dropping connection
    2019/02/01-02:39:55.177	TRACE_LEVEL_VERBOSE	L2CAP_PS3_DenyRemoteConnect Entry
    2019/02/01-02:39:55.177	TRACE_LEVEL_VERBOSE	L2CAP_PS3_DenyRemoteConnectCompleted Entry (STATUS_SUCCESS (0x00000000))
    2019/02/01-02:39:55.177	TRACE_LEVEL_VERBOSE	L2CAP_PS3_DenyRemoteConnectCompleted Exit
    2019/02/01-02:39:55.177	TRACE_LEVEL_VERBOSE	L2CAP_PS3_DenyRemoteConnect Exit
    2019/02/01-02:39:55.177	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Exit
    2019/02/01-02:39:55.757	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Entry
    2019/02/01-02:39:55.757	TRACE_LEVEL_INFORMATION	New connection for PSM 0x5053 from AC7A4D2819AC arrived
    2019/02/01-02:39:55.757	TRACE_LEVEL_VERBOSE	L2CAP_PS3_HandleRemoteConnect Entry
    2019/02/01-02:39:55.757	TRACE_LEVEL_INFORMATION	++ Device AC7A4D2819AC name: PLAYSTATION(R)3 Controller
    2019/02/01-02:39:55.757	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Entry (Indication: 0x0, Context: 0xFFFFFA8007378CA0)
    2019/02/01-02:39:55.757	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Exit
    2019/02/01-02:39:55.757	TRACE_LEVEL_VERBOSE	L2CAP_PS3_HandleRemoteConnect Exit (STATUS_SUCCESS (0x00000000))
    2019/02/01-02:39:55.757	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Exit
    2019/02/01-02:39:55.764	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ControlConnectResponseCompleted Entry
    2019/02/01-02:39:55.764	TRACE_LEVEL_INFORMATION	Connection completion, status: STATUS_SUCCESS (0x00000000)
    2019/02/01-02:39:55.764	TRACE_LEVEL_INFORMATION	HID Control Channel connection established
    2019/02/01-02:39:55.764	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ControlConnectResponseCompleted Exit
    2019/02/01-02:39:55.772	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Entry
    2019/02/01-02:39:55.772	TRACE_LEVEL_INFORMATION	New connection for PSM 0x5055 from AC7A4D2819AC arrived
    2019/02/01-02:39:55.772	TRACE_LEVEL_VERBOSE	L2CAP_PS3_HandleRemoteConnect Entry
    2019/02/01-02:39:55.772	TRACE_LEVEL_INFORMATION	++ Device AC7A4D2819AC name: PLAYSTATION(R)3 Controller
    2019/02/01-02:39:55.772	TRACE_LEVEL_VERBOSE	++ Found desired connection item in connection list
    2019/02/01-02:39:55.772	TRACE_LEVEL_VERBOSE	L2CAP_PS3_HandleRemoteConnect Exit (STATUS_SUCCESS (0x00000000))
    2019/02/01-02:39:55.772	TRACE_LEVEL_VERBOSE	BthPS3IndicationCallback Exit
    2019/02/01-02:39:55.772	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Entry (Indication: 0x0, Context: 0xFFFFFA8007378CA0)
    2019/02/01-02:39:55.772	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Exit
    2019/02/01-02:39:55.781	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Entry (Indication: 0x4, Context: 0xFFFFFA8007378CA0)
    2019/02/01-02:39:55.781	TRACE_LEVEL_INFORMATION	L2CAP_PS3_ConnectionIndicationCallback ++ IndicationRemoteConfigRequest
    2019/02/01-02:39:55.781	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionIndicationCallback Exit
    2019/02/01-02:39:55.784	TRACE_LEVEL_VERBOSE	L2CAP_PS3_InterruptConnectResponseCompleted Entry
    2019/02/01-02:39:55.784	TRACE_LEVEL_INFORMATION	Connection completion, status: STATUS_SUCCESS (0x00000000)
    2019/02/01-02:39:55.784	TRACE_LEVEL_INFORMATION	HID Interrupt Channel connection established
    2019/02/01-02:39:55.784	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionStateConnected Entry
    2019/02/01-02:39:55.784	TRACE_LEVEL_VERBOSE	L2CAP_PS3_ConnectionStateConnected Exit
    2019/02/01-02:39:55.784	TRACE_LEVEL_VERBOSE	L2CAP_PS3_InterruptConnectResponseCompleted Exit
    2019/02/01-02:39:55.785	TRACE_LEVEL_VERBOSE	Control transfer request completed with status STATUS_SUCCESS (0x00000000)
    


  • Biggest struggle in this project so far 😆




  • Couldn't fall asleep last night, implemented bus enumerator instead:

    Youtube Video

    What's going on in the video: once the connection of both HID Control and Interrupt channels has been established, the wonderful KMDF bus driver API kicks in and spawns a new PNP device:

    WDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER_INIT(
            &pdoDesc.Header,
            sizeof(PDO_IDENTIFICATION_DESCRIPTION)
        );
    
    pdoDesc.RemoteAddress = ClientConnection->RemoteAddress;
    pdoDesc.DeviceType = ClientConnection->DeviceType;
    
    //
    // Invoke new child creation
    // 
    status = WdfChildListAddOrUpdateChildDescriptionAsPresent(
    	WdfFdoGetDefaultChildList(ClientConnection->DevCtxHdr->Device),
    	&pdoDesc.Header,
    	NULL
    );
    

    In order to de-clutter the profile/bus driver I decided to outsource the device-specific logic into one or more additional function drivers, introducing IOCTLs to fetch data from and send to the PDOs without having to deal with Bluetooth-specific paradigms at all. I've introduced artificial GUID-based hardware IDs for every distinct device:

    • DS_DEVICE_TYPE_SIXAXIS - SIXAXIS or DualShock 3 compatible (including 3rd party controllers)
    • DS_DEVICE_TYPE_NAVIGATION - PlayStation Move Navigation Controller
    • DS_DEVICE_TYPE_MOTION - PlayStation Move Motion Controller
    • DS_DEVICE_TYPE_WIRELESS - DualShock 4 Revision 1 or 2 Wireless Controller

    On a personal note: I'm quite pleased about the pacing here, implementing the bus logic was done almost entirely from memory and implemented once again without crashing the test host 👏



  • A lot of progress was made today. Nothing much to present yet but I've basically started to design and implement the interface that will be used to talk to the exposed PDOs via own function driver. This causes the code base for the profile driver to remain encapsulated for Bluetooth related stuff only. Higher level functions (HID mini-driver, LED, Rumble, ...) will then be implemented by one or more individual function drivers latching onto the PDOs.

    Cheers



  • Wrapped all necessary driver (un-)installation tasks in a small self-contained tool and finished proper error handling:


    This tool can then assist a setup in automating the installation and also making test installations more bearable 😉

    What happens in the picture for each line:

    • BluetoothSetLocalServiceInfo is invoked which causes bthenum to spawn a PDO for the profile driver to latch onto
    • Bluetooth profile driver gets installed in driver store and device driver installation for newly spawned PDO gets kicked off
    • bthusb lower filter driver service (BthPS3PSM) gets created
    • BthPS3PSM gets added as lower filter driver for GUID_DEVCLASS_BLUETOOTH device class
    • Same action is invoked again, leading to a different response
    • Service creation is invoked again, failing because it's already registered

    That'll be all for today, folks! 🤠

